Abstract: A program annotated with inductive assertions is said to be verification decidable if all of the verification conditions generated from the program and assertions are formulas in a decidable theory. We define a theory, which we call Presburger array theory, containing two logical sorts: integer and array-of-integer. Addition, subtraction, and comparisons are permitted for integers. We allow array contents and assign functions, and, since the elements of the arrays are integers, array accesses may be nested. The first result is that the validity of unquantified formulas in Presburger array theory is decidable, yet quantified formulas in general are undecidable. We also show that, with certain restrictions, we can add a new predicate Perm(M,N) — meaning array M is a permutation of array N — to the assertion language and still have a solvable decision problem for

1. Introduction


The theory of program schemata gains power by dealing with classes of programs instead of individual programs. Once we establish some result about a program schema we can apply that result to any program which is an instance of the schema. Unfortunately, for those of us interested in verification, the theory of program schemata has not provided many positive results, and is still unsuccessful in providing tools for proving program correctness.

One reason for this might be that schemata do not divide the class of all programs into the kind of subclasses useful for verification. A correctness proof for one instance of a schema is of almost no use when trying to find a proof of correctness for another instance, simply because the two programs may be working with entirely different data types, functions and predicates. The fact that two programs share the same control structure has almost no verification significance.

We suggest that programs be classified according to the kinds of verification conditions they generate. Since the verification conditions depend on both the program and the inductive assertions, we classify not programs per se, but annotated programs, complete with pre- and post-condition and loop invariant assertions. For example, if a program uses only type integer with +, =, and < and if all of its inductive assertions use only +, =, and < as well, then all of the verification conditions will be well-formed formulas of Presburger arithmetic. Since the theory of Presburger arithmetic is well known to be decidable, the weak correctness problem for the entire class of "Presburger arithmetic programs" is decidable.

The advantage of this classification is that most of the variants of programs which implement the same or similar algorithms can be in one class. The assertions of programs which implement similar algorithms are very similar. Thus, one can use the same proof procedure for all the programs which implement similar algorithms.

Unfortunately not much work has been done exploring the decision problems for weak correctness of classes of programs defined this way. When all of the verification conditions for a class of (annotated) programs fall in a decidable theory, we say that the class is verification decidable. What we will explore here is the verification decidability of certain classes of programs which use arrays. We investigate the theory of arrays of integers with operations restricted to addition and subtraction and call this Presburger array theory. The first result of this paper is in section 3: the validity problem for unquantified well-formed formulas of Presburger array theory is decidable. We conclude from this that the weak correctness problem for programs using integers and arrays of integers and having unquantified assertions is decidable. We also show that since we can encode multiplication by using addition and one dimensional arrays, the theory is undecidable for quantified formulas in general.


There are probably not many interesting array programs whose inductive assertions are expressible in such a weak assertion language. What we would like is an assertion language powerful enough to express interesting assertions about an interesting class of programs, such as sorting programs, but for which the decision problem for the verification conditions generated is solvable.

One way to extend the assertion language is to add new (interpreted) predicate symbols. In section 4 we consider the addition, in a limited way, of a predicate Perm(M,N), meaning array M is a permutation of array N. The Perm predicate can be defined by a second-order formula as follows:

$\mathrm{Perm}(M,N) \equiv (\exists f)\,[(\forall x,y)(f(x)=f(y) \supset x=y) \wedge (\forall z)(M[z]=N[f(z)])]$.

We show in section 4 that the weak correctness problem for annotated programs using the Perm predicate in assertions (subject to limitations) is decidable. This result is valuable because for almost every known one-array sort program it is the case that the inductive assertions necessary to prove that the output is a permutation of the input can be written easily in the assertion language we permit. Thus, the problem of verifying whether or not a candidate sorting program satisfies the permutation condition is decidable.


2. Notations and Definitions

Presburger arithmetic is the first order theory of integers with addition and no multiplication. The particular characterization we choose has

constants: 0, 1
function symbols: +, -
predicate symbols: =, <.

This theory is known to be decidable [Hilbert].

Presburger array theory, which we denote by L_PA, is a two-sorted theory with sort integer and sort array of integer. We use D_I to denote the domain of integers and D_A to denote the domain of arrays of integers. The language consists of

constants: constants of Presburger theory;

function symbols: +, -
    <*,*,*> : D_A × D_I × D_I → D_A   (array assign)
    *[*]    : D_A × D_I → D_I         (array access)

(We use * to denote the location of the arguments for the two functions involving arrays.)

predicate symbols: =, <.

Terms of sort integer are defined as follows.

1) The constants and the variables of sort integer are terms of sort integer.

2) If a_1 and a_2 are terms of sort integer, so are a_1+a_2 and a_1-a_2.

3) If A is a term of sort array and i is a term of sort integer, then A[i] is a term of sort integer.

4) These are all the terms of sort integer.

Terms of sort array are defined as follows.

1) Variables of sort array are terms of sort array.

2) If A is a term of sort array, and i and e are terms of sort integer, then <A,i,e> is a term of sort array.

3) These are all the terms of sort array.

Atomic formulas are defined as follows.

1) If a_1 and a_2 are terms of sort integer then (a_1=a_2) and (a_1<a_2) are atomic formulas.

2) These are all the atomic formulas.

Well-formed formulas are defined as follows.

1) Atomic formulas are well-formed formulas.

2) If A and B are well-formed formulas and x is a variable, then (¬A), (A ∨ B), (A ∧ B), (A ⊃ B), (A ≡ B), (∃x.A), and (∀x.A) are all well-formed formulas.

3) These are all the well-formed formulas.

McCarthy [McCarthy] has introduced the notion of states and described the semantics of Algol-like programs. He defined two functions, assign and contents, to change states and obtain values of program variables in the state. He defined these functions by two axioms:

A1. $\mathrm{contents}(\mathrm{assign}(S,x,e),x) = e$

A2. $\mathrm{contents}(\mathrm{assign}(S,x,e),y) = \mathrm{contents}(S,y)$

where x and y are distinct variables.

Kaplan [Kaplan] has shown that these axioms are complete if the only well-formed formulas permitted are equalities between terms and if no function symbols are interpreted except assign and contents.

King [King] has used McCarthy's idea to describe the effects of assignments on arrays. In his formalism assign(M,i,e) changes the value of the i-th element of array M to e, and contents(M,i) obtains the value of the i-th element of array M. The axioms corresponding to McCarthy's axioms are:

Ax1. $i=j \supset \mathrm{contents}(\mathrm{assign}(M,i,e),j) = e$

Ax2. $i\neq j \supset \mathrm{contents}(\mathrm{assign}(M,i,e),j) = \mathrm{contents}(M,j)$.

In this paper we will use the more popular notations <M,i,e> and M[i] instead of assign and contents respectively.
Besides the axioms Ax1 and Ax2, we use two other axioms equating the meaning of arrays to functions.

Ax1. $\forall x,y,e,M.\,(x=y \supset \langle M,x,e\rangle[y]=e)$.

Ax2. $\forall x,y,e,M.\,(x\neq y \supset \langle M,x,e\rangle[y]=M[y])$.

Ax3. $\forall x,y,a,b.\,\exists M.\,(M[x]=a \wedge (x\neq y \supset M[y]=b))$.

Ax4. $\forall x,M,N.\,(M[x]=N[x] \supset M=N)$.

We will denote the above set of axioms by A. In addition we will use the axioms of Presburger arithmetic augmented with equality substitution axioms for any wffs of Presburger array theory. We denote this set by P.


3. Decision Procedure for Presburger Array Theory

In this section we present an algorithm for deciding the truth or falsity of unquantified formulas of Presburger array theory, L_PA.

The algorithm is as follows.

Step 1

From the definition of well-formed formulas there is at least one occurrence of a term of the form <M,x,e>[y] if there is at least one occurrence of the array assignment function <M,x,e>. We eliminate this occurrence of the array assignment by the following procedure. Let us denote the formula by R(<M,x,e>[y]), where <M,x,e>[y] indicates the occurrence in question. We transform this formula to

$[\,x=y \supset R(e)\,] \wedge [\,x\neq y \supset R(M[y])\,]$.

Note that this is still a formula of L_PA. It has one fewer occurrence of the assignment function than the original formula. We repeat step 1 until there are no more occurrences of the assignment function.

Step 2 and Step 3 are repeated for each different array.


Step 2

If the formula is of the form R(M[x_0]) where x_0 does not contain any occurrence of the contents function, we create a new variable a_0 and replace the formula by

$M[x_0]=a_0 \supset R(a_0)$.

If there are still occurrences of the contents function in R(a_0) then we apply this transformation again to R(a_0) and iterate. Finally we get a formula of the form

$M[x_0]=a_0 \supset (M[x_1]=a_1 \supset (\ldots(M[x_n]=a_n \supset R(a_0,\ldots,a_n))\ldots))$

where R(a_0,...,a_n) does not contain any occurrence of the contents function. This formula is equivalent to

$(M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n) \supset R(a_0,\ldots,a_n)$.

Step 3

There are no nested occurrences of the contents function in the formula obtained after step 2. We convert the antecedent part $(M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n)$ to the formula Q(n) defined below.

$Q(0) \equiv \mathrm{True}$.

$Q(j+1) \equiv Q(j) \wedge (x_0=x_{j+1} \supset a_0=a_{j+1}) \wedge \ldots \wedge (x_j=x_{j+1} \supset a_j=a_{j+1})$

Thus, we obtain

$Q(n) \supset R(a_0,\ldots,a_n)$.

Since there is no assignment or contents function and this formula is a formula of Presburger arithmetic we can decide the validity.

end of procedure.
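Steps 1 to 3 as executable code, an added example that is not the paper's own: the formula is a Python tuple AST (an assumption of this example), step1 performs the x=y case split, step2 abstracts contents terms to fresh variables a_k, and step3 emits Q(n); it goes slightly beyond the text in that it handles several distinct arrays by building one Q per array. The final Presburger check, bounded_valid, is a brute-force stand-in over a small integer range rather than a Presburger decision procedure, so only its False answers are conclusive.

```python
# Steps 1-3 of the Section 3 procedure on a tuple-based AST (added example; the AST is an assumption).
# Integer terms: ('const', n) ('var', x) ('+', s, t) ('-', s, t) ('read', A, i)   [A[i]]
# Array terms:   ('avar', M) ('store', A, i, e)                                  [<A,i,e>]
# Formulas: ('true',) ('=', s, t) ('<', s, t) ('not', F) ('and', F, G) ('or', F, G) ('imp', F, G)
import itertools

def subst(node, target, repl):
    """Replace every occurrence of the subterm `target` inside `node` by `repl`."""
    if node == target:
        return repl
    return tuple(subst(c, target, repl) for c in node) if isinstance(node, tuple) else node

def find(node, pred):
    """First subterm of `node` (pre-order) satisfying `pred`, or None."""
    if not isinstance(node, tuple):
        return None
    if pred(node):
        return node
    return next((h for h in (find(c, pred) for c in node) if h is not None), None)

def has_read(node):
    return find(node, lambda n: n[0] == 'read') is not None

def step1(f):
    """Eliminate each <A,x,e>[y] by the case split [x=y ⊃ R(e)] ∧ [x≠y ⊃ R(A[y])]."""
    while (occ := find(f, lambda n: n[0] == 'read' and n[1][0] == 'store')) is not None:
        _, (_, arr, x, e), y = occ
        f = ('and', ('imp', ('=', x, y), subst(f, occ, e)),
                    ('imp', ('not', ('=', x, y)), subst(f, occ, ('read', arr, y))))
    return f

def step2(f):
    """Replace each innermost A[x] by a fresh variable a_k; return (R(a_0..a_n), reads)."""
    reads = []
    while (occ := find(f, lambda n: n[0] == 'read' and not has_read(n[2]))) is not None:
        a = ('var', 'a%d' % len(reads))
        reads.append((occ[1][1], occ[2], a))          # (array name, index term x_k, a_k)
        f = subst(f, occ, a)
    return f, reads

def step3(reads):
    """Q(n): for every two reads of the same array, x_i = x_j ⊃ a_i = a_j."""
    q = ('true',)
    for (arr1, x1, a1), (arr2, x2, a2) in itertools.combinations(reads, 2):
        if arr1 == arr2:                              # Steps 2 and 3 are per array
            q = ('and', q, ('imp', ('=', x1, x2), ('=', a1, a2)))
    return q

def reduce_to_presburger(f):
    """Whole pipeline: Q(n) ⊃ R(a_0,...,a_n), with no assign or contents function left."""
    g, reads = step2(step1(f))
    return ('imp', step3(reads), g)

def var_names(node):
    if not isinstance(node, tuple):
        return set()
    return {node[1]} if node[0] == 'var' else set().union(*(var_names(c) for c in node))

def evaluate(node, env):
    """Evaluate a pure Presburger term or formula under the integer assignment `env`."""
    op = node[0]
    if op == 'const': return node[1]
    if op == 'var': return env[node[1]]
    if op == 'true': return True
    if op == 'not': return not evaluate(node[1], env)
    s, t = evaluate(node[1], env), evaluate(node[2], env)
    return {'+': s + t, '-': s - t, '=': s == t, '<': s < t,
            'and': s and t, 'or': s or t, 'imp': (not s) or t}[op]

def bounded_valid(f, lo=-2, hi=2):
    """Stand-in for a Presburger decision procedure (assumption): exhaustive check over a
    small range. False is a genuine counterexample; True is only evidence within the bound."""
    names = sorted(var_names(f))
    return all(evaluate(f, dict(zip(names, vals)))
               for vals in itertools.product(range(lo, hi + 1), repeat=len(names)))

# Constructed formulas (not from the paper): i, j integer variables, M an array variable.
I, J, M = ('var', 'i'), ('var', 'j'), ('avar', 'M')
W = ('read', ('store', M, I, ('const', 5)), J)                                   # <M,i,5>[j]
F1 = ('or', ('=', W, ('const', 5)), ('=', W, ('read', M, J)))  # valid; Step 1 alone settles it
F2 = ('imp', ('=', I, J), ('=', ('read', M, I), ('read', M, J)))  # valid, but only thanks to Q(n)
F3 = ('=', ('read', M, I), ('read', M, J))                        # not valid

if __name__ == '__main__':
    for name, f in (('F1', F1), ('F2', F2), ('F3', F3)):
        print(name, reduce_to_presburger(f), bounded_valid(reduce_to_presburger(f)))
```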


It is obvious that this procedure terminates. In each iteration of step 1 we eliminate one occurrence of <M,x,e>, and in each iteration of step 2 we eliminate one occurrence of M[x]. Step 3 terminates because the definition of Q(n) is primitive recursive. What we will prove is that the procedure transforms the formula to an "equivalent" formula.


Theorem

This decision procedure transforms a formula R to an "equivalent" formula R' in the sense that P, A ⊢ R iff P, A ⊢ R'.


Proof

1. Transformation by step 1) is correct:

The following is an obvious consequence of Ax1, Ax2, and equality substitution.

$P, A \vdash R(\langle M,x,e\rangle[y]) \equiv (x=y \supset R(e)) \wedge (x\neq y \supset R(M[y]))$.

2. Transformation by step 2) is correct:

We prove that for any formula R

$P, A \vdash R(M[x]) \equiv (\forall a.\,a=M[x] \supset R(a))$

by the following chain of reasoning:

$(\forall a.\,a=M[x] \supset R(a)) \equiv (\forall a.\,a=M[x] \supset R(M[x])) \equiv ((\exists a.\,a=M[x]) \supset R(M[x])) \equiv R(M[x])$.

3. Transformation by step 3) is correct.

We will prove

$P, A \vdash (M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n) \supset R(a_0,\ldots,a_n)$ iff $P, A \vdash Q(n) \supset R(a_0,\ldots,a_n)$.

Since there is no free occurrence of M in R(a_0,...,a_n),

$P, A \vdash (M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n) \supset R(a_0,\ldots,a_n)$

iff

$P, A \vdash (\exists M.\,(M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n)) \supset R(a_0,\ldots,a_n)$.

We now reduce the problem to showing

$P, A \vdash \exists M.\,(M[x_0]=a_0 \wedge \ldots \wedge M[x_n]=a_n)$ iff $P, A \vdash Q(n)$,

which we prove by induction on n.

1) If n=0 the left hand side is

$\exists M.\,M[x_0]=a_0$.

From Ax3, $P, A \vdash \exists M.\,M[x_0]=a_0$. Since $P, A \vdash Q(0)$, the proposition is true for n=0.

2) Assume the proposition is true for n=j, that is

$P, A \vdash \exists M.\,(M[x_0]=a_0 \wedge \ldots \wedge M[x_j]=a_j)$ iff $P, A \vdash Q(j)$.

To prove the proposition in the forward direction for n=j+1 we assume $\exists M.\,(M[x_0]=a_0 \wedge \ldots \wedge M[x_{j+1}]=a_{j+1})$, which is equivalent to

$\exists M.\,[(M[x_0]=a_0 \wedge \ldots \wedge M[x_j]=a_j) \wedge M[x_{j+1}]=a_{j+1}]$.

For a new array constant M_0,

$(M_0[x_0]=a_0 \wedge \ldots \wedge M_0[x_j]=a_j) \wedge M_0[x_{j+1}]=a_{j+1}$

is true from the assumption. Using the inductive hypothesis we can deduce Q(j). Also by equality substitution

$x_i=x_{j+1} \supset M_0[x_i]=M_0[x_{j+1}]$.

By equality substitution

$x_i=x_{j+1} \supset a_i=a_{j+1}$.

Thus,

$\bigwedge_{1\le i\le j}\,[x_i=x_{j+1} \supset a_i=a_{j+1}]$.

So we can deduce Q(j+1).
Conversely, to prove the proposition for n=j+1 in the reverse direction, assume that Q(j+1), that is

$Q(j) \wedge \bigwedge_{1\le i\le j}\,[x_i=x_{j+1} \supset a_i=a_{j+1}]$,

is true. By the inductive hypothesis

$\exists M.\,\bigwedge_{1\le i\le j} M[x_i]=a_i$

is true. That is, for a new constant M_0,

$\bigwedge_{1\le i\le j} (M_0[x_i]=a_i)$.

By Ax3, for new constants M_1, ..., M_j,

$M_i[x_{j+1}]=a_{j+1} \wedge (x_i\neq x_{j+1} \supset M_i[x_i]=a_i)$.

If $x_i=x_{j+1}$ then $a_i=a_{j+1}$ and thus $M_0[x_i]=M_i[x_{j+1}]$ or $M_0[x_i]=M_i[x_i]$. Using Ax4, $M_0=M_i$ or $M_0[x_{j+1}]=a_{j+1}$.

Repeating the above step for i=1 to j,

$\bigwedge_{1\le i\le j}\,(x_i=x_{j+1} \supset M_0[x_{j+1}]=a_{j+1})$.

On the other hand, if $x_1\neq x_{j+1} \wedge \ldots \wedge x_j\neq x_{j+1}$ then $M_0=M_1 \wedge \ldots \wedge M_0=M_j$, or

$x_1\neq x_{j+1} \wedge \ldots \wedge x_j\neq x_{j+1} \supset M_0[x_{j+1}]=a_{j+1}$.

Thus, $M_0[x_{j+1}]=a_{j+1}$.

So $\exists M.\,\bigwedge_{1\le i\le j+1} (M[x_i]=a_i)$.

QED

We have shown that unquantified Presburger array formulas are decidable. However, we cannot in general decide the validity of quantified Presburger array formulas. The reason is that we can encode the square function by an array as follows:

$M[0]=0 \wedge \forall i.\,i\ge 0 \supset M[i+1]=M[i]+i+i+1$.

Then multiplication can be performed as $M[a+b]-M[a]-M[b]$. With multiplication along with addition we can encode any recursive function, and the validity problem in this theory becomes unsolvable.

The implication of the verification decidability results is that if the only function symbols the program uses on integer sort expressions are addition and subtraction, and the assertions are written in the Presburger array language, then the correctness is decidable.

This is not itself a very strong result. To be able to decide correctness of more interesting programs like sorting programs we have to find finer subclasses of Presburger array theory than is possible by classifying according to prenex normal form quantifier prefixes.


One way is to follow what people have been doing in practice [Suzuki]. We introduce new predicate symbols to denote certain well-formed formulas and obtain a decision procedure for the limited formulas. The next section deals with such an example.


4. Decision Procedure for Permutation

In this section we consider the problem of deciding whether or not a designated array in some program has a final value which is a permutation of its initial value. Thus, we want a procedure which can prove (or disprove) results of the following form:

$P \wedge \mathrm{Perm}(M,M_0)\ \{\,\mathit{program}(M)\,\}\ \mathrm{Perm}(M,M_0)$.

The variable M is assumed to be the array in question, and M_0 is its initial value. The atomic formula Perm(M,M_0) means that the array M is a permutation of the array M_0. The symbol P stands for other preconditions which do not use the Perm predicate.

More precisely, we consider the class of all programs which use the data sorts integer and array-of-integer. For the integers we allow operations + and -, and predicates = and <. Multiplication and division are excluded, as before, so we can work in the decidable theory of Presburger arithmetic. For our purposes it will be sufficient to consider arrays which are infinite in both directions. The complications which are introduced by arrays with upper and lower bounds are unnecessary for the simple sorting programs which are our targets. The array contents and assign functions are, of course, permitted for arrays, but the array equality predicate is not.

We require inductive assertions to be of the form

$P \wedge \mathrm{Perm}(M,M_0)$

where either conjunct may be absent. M may be any array expression, but M_0 must be a simple variable which does not appear anywhere in the program (though it may appear in the Perm conjunct of other assertions). P may be any unquantified Presburger array formula over the sorts integer and array-of-integer, but it may not contain any occurrence of the Perm predicate. We call this assertion language L_PA with Perm.

For programs and inductive assertions of the kind we have described the verification conditions all have the form

(1) $P_1 \wedge \mathrm{Perm}(M,M_0) \supset P_2 \wedge \mathrm{Perm}(N,M_0)$

where P_1 and P_2 are Presburger array formulas, M and N are array expressions, and M_0 is an array variable which does not appear in M, N, P_1, or P_2. Most of the remainder of this section is devoted to a decision procedure for formulas of the form (1). Throughout this algorithm we rely heavily on the result of the previous section that unquantified formulas in the language of Presburger array theory, L_PA, are decidable.

Before we give the decision procedure, however, we should note that the theory we are developing is applicable to almost all known one-array sorting programs. In each case they confine themselves to the Presburger arithmetic subtheory of the integers. Furthermore, they satisfy the assertion language restrictions we made since loop invariants sufficiently strong to prove the permutation-preserving property of the program can be written very naturally in the assertion language L_PA with Perm. In fact, they usually can be written as a single Perm atomic formula without the need for the optional Presburger array formula conjunct that we allow. In that sense the result we present is stronger than needed for our target sort programs.

We now proceed with the decision procedure for formulas of the form (1).

Step 1:

Formula (1) can be broken into two smaller formulas, namely

(2) $P_1 \wedge \mathrm{Perm}(M,M_0) \supset P_2$

and

(3) $P_1 \wedge \mathrm{Perm}(M,M_0) \supset \mathrm{Perm}(N,M_0)$.

Clearly formula (1) is TRUE if and only if formulas (2) and (3) are both TRUE.

We can dispose of (2) easily by noting that since M_0 does not occur in P_1 or P_2, the Perm(M,M_0) conjunct of the hypothesis is irrelevant and can be eliminated. Formula (2) is true if and only if

(4) $P_1 \supset P_2$

is true. Since (4) is in L_PA, its truth is decidable. The proof that (2) is equivalent to (4) is quite short.

$P_1 \wedge \mathrm{Perm}(M,M_0) \supset P_2$ | Assumption

$\forall M_0.\,(P_1 \wedge \mathrm{Perm}(M,M_0) \supset P_2)$ | ∀-gen

$P_1 \wedge \exists M_0.\,(\mathrm{Perm}(M,M_0)) \supset P_2$ | M_0 does not occur free in P_1 or P_2

$P_1 \supset P_2$ | $\exists M_0.\,(\mathrm{Perm}(M,M_0)) \equiv \mathrm{TRUE}$

Each step in the above transformation is reversible, so (2) is true if and only if (4) is true.

If (4) is false we terminate the decision procedure negatively. If not, we continue to try to prove formula (3).


Step 2:

Because Perm is an equivalence relation, formula (3) is equivalent to

(5) $P_1 \wedge \mathrm{Perm}(M,M_0) \supset \mathrm{Perm}(M,N)$.

Once again, because M_0 does not occur free in P_1, M, or N, we can demonstrate, by a proof nearly identical to the one in step 1, that the second conjunct of (5) is irrelevant and (5) is true if and only if

(6) $P_1 \supset \mathrm{Perm}(M,N)$

is true.

In (6) both M and N are terms of array sort, i.e.

$M = \langle\ldots\langle V_M,i,e\rangle\ldots\rangle$ and $N = \langle\ldots\langle V_N,j,f\rangle\ldots\rangle$.

Thus, both M and N represent infinite arrays to which at most a finite number of changes (assign operations) have been made. Since P_1 is unquantified, it can only constrain the values of a finite number of the elements of M and N. Consequently, the only way that (6) can be true for all assignments of the variables — in particular for all assignments of V_M and V_N — is for V_M and V_N to be the same variable.

Thus, if V_M is not the same variable as V_N, terminate negatively.

Explanation about Step 3:

We now come to the heart of the decision procedure. By step 2 we can rewrite (6) as

(7) $P_1 \supset \mathrm{Perm}(\langle\ldots\langle V,i,e\rangle\ldots\rangle,\ \langle\ldots\langle V,j,f\rangle\ldots\rangle)$.

Formula (7) says that array V, after a certain finite sequence of assign operations, is a permutation of the same (infinite) array V after a different finite sequence of assign operations. Each assign operation can be viewed as the removal of one element from the array V and the insertion of another. We come, then, to the fundamental idea of our decision procedure: if we let I_M be the multiset of elements inserted into the first array by assignments, and D_M be the multiset of elements deleted from it by assignments, and if we let I_N and D_N be defined similarly for the second term, then (7) holds if and only if

(8) $I_M + D_N = I_N + D_M$

is TRUE as a multiset equation with the assumption P_1. (The + stands for multiset union.) More precisely, since I_M, D_M, I_N and D_N are multisets of terms, we must show that (8) is true for all assignments of the variables for which P_1 is TRUE, i.e.

(9) $P_1 \supset I_M + D_N = I_N + D_M$.

At this point we are in a position to conclude that formulas of the form of (1) are decidable. We have reduced it to the problem of deciding the truth of formulas of the form (9). Since in (9) the multisets in the consequent are finite and explicitly listed, we can express the equation as a finite set of disjuncts of conjuncts. For example, the following formula in the form of (9)

$P \supset \{a,b,c\} = \{d,e,f\}$

can be expressed less tersely as

$P \supset (a=d \wedge b=e \wedge c=f) \vee (a=e \wedge b=d \wedge c=f) \vee \ldots \vee (a=f \wedge b=e \wedge c=d)$

with six disjuncts. In general, there will be n! disjuncts if the multisets contain n expressions each. The resulting formula is in L_PA, and therefore decidable. But using the decision procedure for L_PA directly in this way would be intolerably slow in most cases, and therefore we propose a more practical continuation of the decision procedure in step 3.

Step 3:

We begin by computing I_M, I_N, D_M, and D_N using the following symbolic algorithm.

begin
  multiset of integer expression : I_M, I_N, D_M, D_N;
  array expression : M, N, MM, NN, X;
  integer expression : i, e;

  I_M ← I_N ← D_M ← D_N ← {};
  MM ← M; NN ← N;
  do
    MM ~ <X,i,e> → D_M ← D_M + {X[i]}; I_M ← I_M + {e}; MM ← X ||
    NN ~ <X,i,e> → D_N ← D_N + {X[i]}; I_N ← I_N + {e}; NN ← X
  od
end

The declarations at the start of the algorithm indicate the types of expressions the variables may take as values. The do — od construct is Dijkstra's nondeterministic repetitive guarded command construct [Dijkstra]. The ~ sign is a pattern match operator which can be read "is of the form". It returns true or false according to whether or not the match succeeds, and has the side-effect of binding the variables in the right-hand argument whenever the match succeeds.

Having computed I_M, I_N, D_M, and D_N, we need to prove (9). We can do this if we have an algorithm for proving

(10) $P \supset S_1 = S_2$

where P is a Presburger array formula and S_1 and S_2 are multisets of integer expressions. We propose to find pairs of elements e_1 ∈ S_1 and e_2 ∈ S_2 such that

$P \supset e_1 = e_2$.

Whenever we find such a pair of equal expressions we remove them from the multisets and continue with the smaller multisets, attempting to show

$P \supset S_1 - \{e_1\} = S_2 - \{e_2\}$.

The following iteration will remove pairs of equal elements from S_1 and S_2.

do
  x ∈ S_1 ∧ y ∈ S_2 ∧ [P ⊃ x=y] → S_1 ← S_1 - {x}; S_2 ← S_2 - {y}
od

Once again we have used Dijkstra's iterative guarded command construct. The guard is intended to be a rather elaborate pattern match operation which means "find x ∈ S_1 and y ∈ S_2 such that 'P ⊃ x=y' is true". If the pattern match succeeds, the variables x and y are bound to the matching elements, the action to the right of the arrow is executed, and the iteration continues. If the pattern match fails, the iteration terminates.

It might seem that writing the loop the way we did makes the algorithm obscure. We could as well have written the following doubly nested loop.

for all x ∈ S_1 do
  for all y ∈ S_2 do
    if [P ⊃ x=y]
    then
      ( S_1 ← S_1 - {x};
        S_2 ← S_2 - {y}
      ).

However, we felt that the explicit double loop structure precludes opportunities for optimization which could be important in an actual implementation.

If this iteration succeeds in reducing S_1 and S_2 to empty, then formula (10), and hence formula (1), are TRUE, and the decision procedure terminates. However, if S_1 and S_2 are not reduced to empty, it is not necessarily the case that (10) is FALSE, as we explain in the next step.

Step 4:

Once all such pairs of elements which are equal as a consequence of P have been removed, the remaining multisets still may or may not be equal. It may happen that under one assignment of values to the program variables the multiset elements are pairwise equal according to one correspondence, and under another assignment the elements are pairwise equal under a different correspondence. There might be no two elements which are pairable under all assignments. Probably the simplest example of this phenomenon is the following:

$\mathrm{TRUE} \supset \{V[i],\ \langle V,i,1\rangle[j]\} = \{V[j],\ \langle V,j,1\rangle[i]\}$.

In any assignment in which i=j holds, the multisets are equal because their first elements are equal and their second elements are equal. And in any assignment in which i≠j holds, the multisets are also equal, but the elements are paired according to the other correspondence. Thus, the multisets are equal under all assignments, but there is no pair of elements which are equal under all assignments.

In order to decide the truth of

(11) $P \supset S_1 = S_2$

we rewrite the formula as

(12) $P \supset \{m_i \mid i \le k\} = \{n_i \mid i \le k\}$.

Formula (12) is equivalent to

(13) $P \wedge (m_1=n_1 \vee m_1=n_2 \vee \ldots \vee m_1=n_k \vee (m_1\neq n_1 \wedge m_1\neq n_2 \wedge \ldots \wedge m_1\neq n_k)) \supset \{m_i \mid i \le k\} = \{n_i \mid i \le k\}$.

Formula (13) can be broken up into smaller formulas such that (13) is true if and only if all of the following k+1 formulas are true.

(14) $P \wedge m_1=n_1 \supset \{m_i \mid i \le k\} = \{n_i \mid i \le k\}$

...

$P \wedge m_1=n_k \supset \{m_i \mid i \le k\} = \{n_i \mid i \le k\}$

$P \wedge (m_1\neq n_1 \wedge m_1\neq n_2 \wedge \ldots \wedge m_1\neq n_k) \supset \{m_i \mid i \le k\} = \{n_i \mid i \le k\}$

Each of the formulas of (14) can in turn be further simplified as follows:

(15) $P \wedge m_1=n_1 \supset \{m_i \mid 2 \le i \le k\} = \{n_i \mid i \le k \wedge i \neq 1\}$

...

$P \wedge m_1=n_k \supset \{m_i \mid 2 \le i \le k\} = \{n_i \mid i \le k \wedge i \neq k\}$

(15*) $P \wedge (m_1\neq n_1 \wedge m_1\neq n_2 \wedge \ldots \wedge m_1\neq n_k) \supset \mathrm{FALSE}$

We abbreviate (15*) as

(16*) $P \supset (m_1 \in S_2)$.

In (15) all of the multisets are smaller by one than those in (11). This fact forms the basis of a recursive procedure for proving (or disproving) formula (11). We define a recursive procedure TESTEQUAL(P,S_1,S_2) which returns TRUE or FALSE according to the truth of (12). The multisets S_1 and S_2 must have the same number of expressions in them. TESTEQUAL works in four steps.

(i) If S_1 = S_2 = {}, the procedure returns TRUE immediately.

(ii) As an optimization the procedure then checks that P is satisfiable. If P is unsatisfiable, TESTEQUAL returns TRUE immediately.

(iii) Choose an element m_1 from S_1 and break (11) into the first k cases of (15). Call TESTEQUAL recursively to test them. The recursive calls must all return true, or TESTEQUAL returns false.

(iv) Test (16*) and return its truth value.


Here  is  the  body  of  the  procedure  in  an  Algol-like  syntax. 

Boolean procedure TESTEQUAL(P,S1,S2);
begin
  formula: P;
  multiset of integer expressions: S1,S2;
  integer expressions: x,y;

  Comment: S1 and S2 must have equal cardinality;
  if |S1| ≠ |S2| then abort;

  Comment: Null multisets are always equal;
  if S1 = {} then return TRUE;

  Comment: Check that P is satisfiable;
  if [¬P] then return TRUE;

  Comment: Check all cases of (15) except (15*);
  x ← choice(S1);
  for all y ∈ S2 do
    if not TESTEQUAL(P ∧ x = y, S1 - {x}, S2 - {y}) then return FALSE;

  Comment: Return the result of (16*);
  return [P ⊃ (x ∈ S2)]
end;


Again we use [P]-notation as a Boolean expression meaning "P is true". Of course we
only use this notation when P is a formula in a theory known to be decidable. The choice
function merely returns some (random) element of its multiset argument. We have been
rather loose with some of the syntax in this program, but we trust that the reader will be
able to supply the missing interpretations from the discussion above.

A few additional remarks should be made about the decision procedure we have
described above. Our experience indicates that for the kinds of programs people actually
write, step 4 of our decision procedure is unnecessary; if the verification condition is in fact
a theorem, this is established by step 3. Therefore, if this decision procedure is embedded
in a real verifier, it might be wise to issue a warning message to the user before (or instead
of) proceeding to step 4, since the worst case complexity of TESTEQUAL is at least n! in
the size of the multiset arguments.

We have only treated the case that the values of the array elements are integers.
However, the procedure can be adapted for arrays of reals if the allowed operations on
reals are within Tarskian arithmetic [Tarski]. As a matter of fact, the decision procedure
can be adapted for any data type in which the equality among terms is decidable.

Consider the procedure for reals. The formula we are going to deal with has the
form

$P \wedge Perm(A,A_0) \supset Perm(B,A_0)$

where A and B are terms of sort array of reals and P is an unquantified well-formed
formula of the two-sorted theory of integers and reals. The restriction here is that we do
not allow any mixed-sort terms or atomic formulas, so that one cannot equate or add terms
of integer and real sort. Because of this restriction one cannot use a real term as the index
into an array.

The procedure described in this section can be carried out without modification, except
where we have to test the truth of particular unquantified formulas. In such cases we can
apply the procedure of the previous section to eliminate arrays. Then we can transform
the formula to conjunctive normal form. All of the conjuncts have to be valid. Each
conjunct consists of a disjunction of atomic formulas, and we can split these atomic formulas
into two classes, one for integer and the other for real. The validity of the two disjunctions
is independent (no atom mentions both sorts), so we can use the separate decision procedures
for integer and real. Thus we can decide the permutation property of arrays of reals with
the same basic algorithm.
Example

The following is an insertion sort program. We can show that the final array is a
permutation of the initial array by the decision procedures given in this paper.

The annotated program is

assert Perm(A,A0);
J
invariant Perm(A,A0)
while J<N do
begin
  KEY ← A[J];
  I ← J-1;
up: assert Perm(<A,I+1,KEY>,A0);
  if A[I]<KEY then goto exit;
  A[I+1] ← A[I];
  I ← I-1;
  if I>1 then goto up;
exit: A[I+1] ← KEY;
  J ← J+1
end;
assert Perm(A,A0);

Since this program conforms to the restrictions of the Presburger array programs with
Perm(A,A0) assertions, its correctness is decidable.

The verification conditions are

1) $Perm(A,A_0) \supset Perm(A,A_0)$

2) $Perm(A,A_0) \wedge J<N \supset Perm(\langle A,J,A[J]\rangle,A_0)$

3) $Perm(A,A_0) \wedge \neg(J<N) \supset Perm(A,A_0)$

4) $A[I]<KEY \wedge Perm(\langle A,I+1,KEY\rangle,A_0) \supset Perm(\langle A,I+1,KEY\rangle,A_0)$

5) $1<I-1 \wedge \neg(A[I]<KEY) \wedge Perm(\langle A,I+1,KEY\rangle,A_0) \supset Perm(\langle\langle A,I+1,A[I]\rangle,I,KEY\rangle,A_0)$

6) $A[I]<KEY \wedge Perm(\langle A,I+1,KEY\rangle,A_0) \supset Perm(\langle A,I+1,KEY\rangle,A_0)$

7) $\neg(1<I-1) \wedge \neg(A[I]<KEY) \wedge Perm(\langle A,I+1,KEY\rangle,A_0) \supset Perm(\langle\langle A,I+1,A[I]\rangle,I,KEY\rangle,A_0)$.

The  non-trivial  verification  conditions  are  5)  and  7),  which  are  very  similar.  Let  us 
examine  5). 


VC 5: $1<I-1 \wedge \neg(A[I]<KEY) \wedge Perm(\langle A,I+1,KEY\rangle,A_0) \supset Perm(\langle\langle A,I+1,A[I]\rangle,I,KEY\rangle,A_0)$

Step 1 Transform to

$1<I-1 \wedge \neg(A[I]<KEY) \supset Perm(\langle A,I+1,KEY\rangle, \langle\langle A,I+1,A[I]\rangle,I,KEY\rangle)$

Step  2 The  base  array  variables  of  the  two  array  terms  are  the  same;  proceed. 

Step 3

$I_M = \{KEY\}$

$D_M = \{A[I+1]\}$

$I_N = \{A[I], KEY\}$

$D_N = \{A[I+1], \langle A,I+1,A[I]\rangle[I]\}$.

Transform to $P \supset S_1 = S_2$:

$1<I-1 \wedge \neg(A[I]<KEY) \supset \{KEY, A[I+1], \langle A,I+1,A[I]\rangle[I]\} = \{A[I], KEY, A[I+1]\}$.

By inspection we can see that the two multisets would be reduced to empty by Step 3,
because

$1<I-1 \wedge \neg(A[I]<KEY) \supset KEY = KEY$

$1<I-1 \wedge \neg(A[I]<KEY) \supset A[I+1] = A[I+1]$

$1<I-1 \wedge \neg(A[I]<KEY) \supset \langle A,I+1,A[I]\rangle[I] = A[I]$

Step 4 Unnecessary, because step 3 reduced the multisets to null.


5.  Conclusion 


Unlike  the  decidability  results  for  program  schemata,  verification  decidability  is  not 
influenced  by  the  control  structure  of  programs.  That  is,  the  decidability  results  are  not 
sensitive  to  individual  programming  style  or  to  variations  in  algorithms  for  the  same  task. 

Our permutation decidability results can be applied to almost all of the sorting
programs people usually write. We therefore feel that the methods developed in this paper
show the value of having domain-specific, specially interpreted predicates such as Perm in
the assertion language. Had we not used the Perm predicate as we did, we might have had
to write a second-order formula to express the same thing, such as the following:

$Perm(M,N) \equiv (\exists F)(\forall x)(\forall y)[\, F(x) = F(y) \supset x = y \;\wedge\; M[x] = N[F(x)] \,]$

It  seems  very  unlikely  that  verification  conditions  allowing  this  kind  of  quantification  over 
functions  will  be  decidable. 

The next target of our research will be the orderedness properties of Presburger
arrays. Eventually we hope to find a single assertion language in which the inductive
assertions for both the orderedness and permutation properties of ordinary sort programs
can be expressed, and for which we can find an algorithm to decide the resulting
verification conditions.

There  are  various  other  directions  that  future  research  in  this  area  might  take.  For 
each  algorithm  domain  we  should  try  to  establish  assertion  vocabularies  for  which  the 
resulting  verification  conditions  are  decidable.  When  decision  procedures  are  discovered, 
they  should  be  formulated  in  such  a way  that  they  can  provide  useful  debugging  information 
when  a proof  fails.  And,  of  course,  a long  range  goal  is  to  build  a verifier  which  can 
recognize  programs  of  the  decidable  domains,  and  verify  them  without  human  aid. 


Bibliography 


[Dijkstra] Dijkstra, E.W., A Discipline of Programming, Prentice-Hall, 1976.

[Hilbert] Hilbert, D. and Bernays, P., Grundlagen der Mathematik I,
Springer-Verlag, 1968.

[Kaplan] Kaplan, D., Some Completeness Results in the Mathematical
Theory of Computation, JACM, Vol. 15, No. 1, pp. 124-134, 1968.

[King] King, J. C., A Program Verifier, Ph.D. thesis, Carnegie-Mellon
University, 1969.

[Knuth] Knuth, D.E., The Art of Computer Programming, Vol. 2, Addison-Wesley.

[McCarthy] McCarthy, J., Towards a Mathematical Science of Computation,
Proc. of IFIP Congress 62, pp. 21-28, North-Holland Publishing
Company, Amsterdam, 1962.

[Suzuki] Suzuki, N., Verifying Programs by Algebraic and Logical
Reduction, Proc. Intl. Conf. on Reliable Software, Sigplan Notices,
Vol. 10, No. 6, June, 1975.

[Tarski] Tarski, A., A Decision Method for Elementary Algebra and Geometry,
RAND Corporation, Santa Monica, Ca., 1948.


